SameSite is a requirement in latest Chrome starting Feb 2020
Read a very good and easy-to-understand explainer on SameSite
It turns out that none of the Java-based ecosystem (Servlet/Grails/Spring/Wicket/JBoss/Tomcat/WildFly etc.) is up to this simple and basic task, which is easily handled by non-Java frameworks like Rails, Django etc. The bottom line is that the Servlet API has not implemented this spec, so it is not possible to set the attribute either via code in Java-based frameworks or via config file changes in application server containers. So we have to resort to doing this from the Apache server in front of the application.
- Enable the headers module:

    sudo a2enmod headers

- Then modify your Apache config to add the Header directive. Which file to edit varies: I've seen people online editing httpd.conf, others adding a headers.conf file, etc. It depends on which flavour of Unix, Windows or macOS you are running, so make the change wherever you usually make such changes to your website. I'm only giving the syntax of the Header directive here.

  Syntax (for the JSESSIONID cookie only):

    Header edit Set-Cookie ^(JSESSIONID.*)$ $1;HttpOnly;Secure;SameSite=<Strict|Lax|None>

  Example:

    Header edit Set-Cookie ^(JSESSIONID.*)$ $1;HttpOnly;Secure;SameSite=Strict

  Syntax (for every cookie the application sets):

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=<Strict|Lax|None>

  Example:

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict

  Note that the pattern appends the three attributes unconditionally, so a cookie the application already marks Secure or HttpOnly will carry that attribute twice, and the ^(.*)$ form applies the same SameSite value to every cookie, so use it only if all of them should get that value.

- Restart apache2:

    service apache2 restart
You can then inspect the cookie in the Developer Console in Safari or Chrome under Application -> Storage -> Cookies. Both browsers already show three columns with the values for HttpOnly, Secure and SameSite!
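As an added illustration (not part of the original post), the Python below reproduces the JSESSIONID rewrite above with the same regex, audits a Set-Cookie value the way the browser's cookie columns would (HttpOnly, Secure, SameSite present, and SameSite=None only together with Secure), and shows an idempotent variant that adds only the attributes a cookie is missing. The sample header values are constructed for the example.

```python
import re

# The post's Apache directive, reproduced as a Python regex so its effect can be seen offline:
#   Header edit Set-Cookie ^(JSESSIONID.*)$ $1;HttpOnly;Secure;SameSite=Strict
APACHE_PATTERN = re.compile(r"^(JSESSIONID.*)$")
APACHE_REPLACEMENT = r"\1;HttpOnly;Secure;SameSite=Strict"


def apache_edit(set_cookie: str) -> str:
    """Apply the 'Header edit' rewrite to one Set-Cookie header value."""
    return APACHE_PATTERN.sub(APACHE_REPLACEMENT, set_cookie)


def split_attrs(set_cookie: str) -> list:
    """Return [(attr_name_lowercase, attr_value), ...] for everything after 'name=value'."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key.strip().lower(), val.strip()))
    return attrs


def audit(set_cookie: str) -> list:
    """Findings for one Set-Cookie value; an empty list means the cookie passes."""
    attrs = split_attrs(set_cookie)
    keys = [k for k, _ in attrs]
    findings = []
    for required in ("httponly", "secure", "samesite"):
        if required not in keys:
            findings.append(f"missing {required}")
        elif keys.count(required) > 1:
            findings.append(f"duplicate {required}")  # what the unconditional regex produces
    samesite = dict(attrs).get("samesite", "").lower()
    if "samesite" in keys and samesite not in ("strict", "lax", "none"):
        findings.append(f"invalid SameSite value {samesite!r}")
    if samesite == "none" and "secure" not in keys:
        findings.append("SameSite=None requires Secure")  # Chrome rejects the cookie otherwise
    return findings


def harden(set_cookie: str, samesite: str = "Strict") -> str:
    """Idempotent alternative to the regex: append only the attributes that are absent."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    present = {k for k, _ in split_attrs(set_cookie)}
    for attr in ("HttpOnly", "Secure", f"SameSite={samesite}"):
        if attr.partition("=")[0].lower() not in present:
            parts.append(attr)
    return "; ".join(parts)
```

Running audit() over the Set-Cookie values your proxy actually returns is a quick way to confirm the directive took effect before checking in the browser.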
So if I have Tomcat 9.0.44, where am I supposed to add this line, or in which file? Could you please let me know what the configuration would be for Tomcat 9?
Hi! You can find the answer via Google or Stack Overflow. https://www.google.com/search?q=SameSite+tomcat+9